[Steinar H. Gunderson]
> All three might eventually be truly broken, but you can bet that MD5
> will be the first to go. If you use SHA-256 today instead of MD5, you
> probably buy yourself a few extra years, which you can use to smooth
> out the transition to the next hash function when the world
On Fri, Nov 25, 2005 at 05:19:01PM -0800, Steve Langasek wrote:
> Oh, and BTW, check the IPs of ftp-master.debian.org and
> keyring.debian.org...
Well, at this moment those are distinct, because ftp-master is
temporarily hosted on spohr.debian.org, and not on raff.debian.org,
where keyring.d.o sti
Package: wnpp
Severity: wishlist
Owner: Kari Pahula <[EMAIL PROTECTED]>
* Package name: gearhead
Version : 1.000
Upstream Author : Joseph Hewitt <[EMAIL PROTECTED]>
* URL : http://www.geocities.com/pyrrho12/programming/gearhead/
* License : LGPL
Description
If you wish to unsubscribe from this list, send an e-mail to [EMAIL PROTECTED] requesting it. Thanks.
Brian May wrote:
> > "Thiemo" == Thiemo Seufer <[EMAIL PROTECTED]> writes:
>
> >> Well, even if I know naught about it, it looks to me that having
> >> something signed is better than having the same something not signed.
>
> Thiemo> Sorry, but that's a snake oil rationale.
>
> A
* Steve Langasek [Fri, 25 Nov 2005 17:19:01 -0800]:
> how arbitrary users are supposed to verify whether a given key is in the
> keyring. The debian-keyring package doesn't get updated every time there's
> a key added or removed, and the web interface to keyring.debian.org doesn't
> provide any c
On Fri, Nov 25, 2005 at 02:57:36PM +0100, Goswin von Brederlow wrote:
> Steve Langasek <[EMAIL PROTECTED]> writes:
> > On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote:
> >> > That's easy: you trust the Packages file to be correct when using apt,
> >> > and it's not verified a
My biggest concern with the Heimdal in experimental, is glob() in
libroken.
To the best of my knowledge, it isn't required because libc6 glob()
does everything required.
I am concerned, because of the potential of the symbols conflicting
with the function in libc6.
The Heimdal configure script c
On Fri, 25 Nov 2005, Nathanael Nerode wrote:
> OK. So I was working on the problem of fixing dpkg-dev so that
>
> foo Depends: foo-data {SourceVersion}, foo-libs {BinaryVersion}
>
> or something similar actually works. By parsing the version numbers.
I'd very much like debhelper or dpkg-* to g
On Sat, Nov 26, 2005 at 10:47:57AM +1100, Brian May wrote:
>>> Well, even if I know naught about it, it looks to me that having
>>> something signed is better than having the same something not signed.
>> Sorry, but that's a snake oil rationale.
> A: Why do you lock your car up[1]?
Because it make
> "Thiemo" == Thiemo Seufer <[EMAIL PROTECTED]> writes:
>> Well, even if I know naught about it, it looks to me that having
>> something signed is better than having the same something not signed.
Thiemo> Sorry, but that's a snake oil rationale.
A: Why do you lock your car up[1]?
On Sat, Nov 26, 2005 at 09:13:02AM +1000, Anthony Towns wrote:
>> Moving away from MD5 is certainly not a bad idea, but it's not clear
>> whether the alternatives are any better. Sure, everyone recommends
>> SHA-256 at this stage, but nobody can give a rationale.
> MD5 is broken; SHA-1 is where MD
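Added example, not from any message in this thread: a small verifier for the checksum stanzas of a .changes file that treats the MD5 in the classic "Files:" stanza as necessary but not sufficient, and requires a matching SHA-256 entry before it calls a file good. The "Checksums-Sha256:" stanza is an assumption here (the 2005-era format only carried "Files:"), and the file contents and names are constructed so the example runs offline.

```python
import hashlib

# Constructed sample upload: made-up contents, Debian-style names.
FILES = {
    "foo_1.0-1.dsc": b"Format: 1.0\nSource: foo\nVersion: 1.0-1\n",
    "foo_1.0-1_i386.deb": b"!<arch>\n(constructed placeholder, not a real .deb)\n",
}


def make_changes(blobs, with_sha256=True):
    """Build the checksum stanzas of a .changes file for BLOBS.

    'Files:' carries the classic line (md5 size section priority name);
    'Checksums-Sha256:' (sha256 size name) is the assumed stronger companion
    stanza that the 2005-era format did not yet have."""
    lines = ["Files:"]
    for name, data in blobs.items():
        lines.append(" %s %d misc optional %s"
                     % (hashlib.md5(data).hexdigest(), len(data), name))
    if with_sha256:
        lines.append("Checksums-Sha256:")
        for name, data in blobs.items():
            lines.append(" %s %d %s"
                         % (hashlib.sha256(data).hexdigest(), len(data), name))
    return "\n".join(lines) + "\n"


def parse_stanza(text, field):
    """Return {name: (hexdigest, size)} from the multi-line stanza FIELD.
    The digest is the first token, the size the second and the file name
    the last, which holds for both stanza layouts."""
    out = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].rstrip() == field + ":":
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                parts = lines[i].split()
                out[parts[-1]] = (parts[0], int(parts[1]))
                i += 1
            break
        i += 1
    return out


def verify(changes_text, blobs):
    """Check every file listed in 'Files:' against the bytes in BLOBS.

    Status per file: 'ok' (size, MD5 and SHA-256 all match), 'md5-only'
    (no SHA-256 entry, so only the broken hash vouches for it),
    'mismatch' (a digest or size disagrees) or 'missing'."""
    md5s = parse_stanza(changes_text, "Files")
    shas = parse_stanza(changes_text, "Checksums-Sha256")
    status = {}
    for name, (md5_expected, size) in md5s.items():
        data = blobs.get(name)
        if data is None:
            status[name] = "missing"
        elif len(data) != size or hashlib.md5(data).hexdigest() != md5_expected:
            status[name] = "mismatch"
        elif name not in shas:
            status[name] = "md5-only"
        elif shas[name] != (hashlib.sha256(data).hexdigest(), size):
            status[name] = "mismatch"
        else:
            status[name] = "ok"
    return status


if __name__ == "__main__":
    good = make_changes(FILES)
    print(verify(good, FILES))                        # all 'ok'
    print(verify(make_changes(FILES, False), FILES))  # all 'md5-only'
    tampered = dict(FILES)
    tampered["foo_1.0-1_i386.deb"] += b"x"
    print(verify(good, tampered))                     # .deb is 'mismatch'
```

The point of the 'md5-only' status is hash agility: a verifier that merely accepts whatever digest the stanza offers silently downgrades to MD5 for any file an uploader (or an attacker rewriting the .changes) lists only there, so the policy of which hash is sufficient has to live in the verifier, not in the file.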
On Sat, Nov 26, 2005 at 08:48:45AM +1000, Anthony Towns wrote:
> On Fri, Nov 25, 2005 at 03:13:58PM +0100, Goswin von Brederlow wrote:
> > > You're correct.
> > And he is also wrong.
> > That would result in debs with the same name and version but different
> > md5sums. Something that easily confus
On Fri, Nov 25, 2005 at 09:01:24AM +0100, Rafael Laboissiere wrote:
> * Bastian Blank <[EMAIL PROTECTED]> [2005-11-24 23:45]:
> > | Maintainer: Debian/IA64 Build Daemon <[EMAIL PROTECTED]>
> > | Changed-By: Debian Octave Group <[EMAIL PROTECTED]>
>
> Could you please explain to me why having Chang
Ken Bloom wrote:
Henning Makholm wrote:
Scripsit Chris Boyle <[EMAIL PROTECTED]>
On Thu, Nov 24, 2005 at 06:54:12PM +, paddy wrote:
I though a robots.txt thingy on the list web archive is coming to the
rescue ?
Huh? Isn't having the lists searchable gen
On Fri, Nov 25, 2005 at 07:59:40PM +0100, Florian Weimer wrote:
> * Anthony Towns:
> > (I'm amazed the security "crisis" we're having is about deb sigs
> > *again*, when we're still relying on md5sum which has a public exploit
> > available now...)
> These exploits are irrelevant as far as the Debi
On Fri, Nov 25, 2005 at 02:27:23PM -0200, Henrique de Moraes Holschuh wrote:
> Well, the email about the new bin-NMU structure implied that it was fixed
> for *NMUs done through that structure*.
Then the email was wrong. *shrug*
> > > > My objection is that it's *useless* for *Debian*. Debian h
On Fri, Nov 25, 2005 at 12:49:11PM -0800, Thomas Bushnell BSG wrote:
> Anthony Towns writes:
> > .deb signatures are aimed at giving users some sort of assurance the
> > package is "valid"; but when you actually look into it -- at least in
> > Debian's circumstances -- those signatures can't actua
On Fri, Nov 25, 2005 at 03:13:58PM +0100, Goswin von Brederlow wrote:
> > You're correct.
> And he is also wrong.
> That would result in debs with the same name and version but different
> md5sums. Something that easily confuses apt-get and people.
And yet, somehow people manage partial cross-grad
Package: wnpp
Severity: wishlist
Owner: Patrick Das Gupta <[EMAIL PROTECTED]>
* Package name: me-jasspa
Version : 20050505
Upstream Author : Jon Green
* URL : http://www.jasspa.com/
* License : GPL
Description : A lightweight but fully featured editor
Ja
Goswin von Brederlow <[EMAIL PROTECTED]> writes:
> The archive signing key gives absolutely no integrity ensurance on the
> deb package. The only thing it insures is that the file was not
> altered _after_ leaving ftp.de.debian.org for the mirrors and/or
> user. In no way does it prevent altering
Anthony Towns writes:
> .deb signatures are aimed at giving users some sort of assurance the
> package is "valid"; but when you actually look into it -- at least in
> Debian's circumstances -- those signatures can't actually give any
> meaningful assurance for any specific validity.
Don't they g
Blrgh!
OK. So I was working on the problem of fixing dpkg-dev so that
foo Depends: foo-data {SourceVersion}, foo-libs {BinaryVersion}
or something similar actually works. By parsing the version numbers.
Now it's apparently been changed under our noses, in such a way that my
proposed
sch
Henning Makholm wrote:
> Scripsit Chris Boyle <[EMAIL PROTECTED]>
>
>>On Thu, Nov 24, 2005 at 06:54:12PM +, paddy wrote:
>
>
>>>I though a robots.txt thingy on the list web archive is coming to the
>>>rescue ?
>
>
>>Huh? Isn't having the lists searchable generally a good thing?
>
>
> Yes
* Anthony Towns:
> (I'm amazed the security "crisis" we're having is about deb sigs
> *again*, when we're still relying on md5sum which has a public exploit
> available now...)
These exploits are irrelevant as far as the Debian archive is
concerned. (And that's not because hardly any sarge user
On Fri, 25 Nov 2005, Anthony Towns wrote:
> (I'm amazed the security "crisis" we're having is about deb sigs
> *again*, when we're still relying on md5sum which has a public exploit
> available now...)
Do you really want a thread about how we should switch everything to SHA-512
or something like t
Olaf van der Spek <[EMAIL PROTECTED]> writes:
> On 11/25/05, Matthew Palmer <[EMAIL PROTECTED]> wrote:
>> Of course, using the signature on the .changes to verify the .debs
>> independent from the archive at some later date is a nice side-benefit, but
>> one which suffers from the same key-lifetim
Matthew Palmer <[EMAIL PROTECTED]> writes:
> On Fri, Nov 25, 2005 at 03:22:37PM +0100, Goswin von Brederlow wrote:
>> A signature in the deb by a random developer is as trustworthy as the
>> changes file and you already trust that. So we are going from snakeoil
>> to snakoil. No harm done.
>
> It'
Michael Banck <[EMAIL PROTECTED]> writes:
> On Fri, Nov 25, 2005 at 02:38:32PM +0100, Goswin von Brederlow wrote:
>> Michael Banck <[EMAIL PROTECTED]> writes:
>> > On Thu, Nov 24, 2005 at 06:51:24PM +0100, Goswin von Brederlow wrote:
>> >> Wouter Verhelst <[EMAIL PROTECTED]> writes:
>> >> > They w
On 11/25/05, Matthew Palmer <[EMAIL PROTECTED]> wrote:
> Of course, using the signature on the .changes to verify the .debs
> independent from the archive at some later date is a nice side-benefit, but
> one which suffers from the same key-lifetime issues as in-deb signatures,
What exactly is this
On Fri, Nov 25, 2005 at 03:22:37PM +0100, Goswin von Brederlow wrote:
> A signature in the deb by a random developer is as trustworthy as the
> changes file and you already trust that. So we are going from snakeoil
> to snakoil. No harm done.
It's not the same, actually. A signature in a .deb nee
Scripsit Chris Boyle <[EMAIL PROTECTED]>
> On Thu, Nov 24, 2005 at 06:54:12PM +, paddy wrote:
>> I though a robots.txt thingy on the list web archive is coming to the
>> rescue ?
> Huh? Isn't having the lists searchable generally a good thing?
Yes, a very good thing in general. But excluding
Scripsit "Krzysztof Krzyzaniak (eloy)" <[EMAIL PROTECTED]>
> This module has only one function, which is also exported by default:
> subname NAME, CODEREF
> Assigns a new name to referenced sub.
> The name is only used for informative routines (caller, Carp, etc).
Is this really useful enough
Wouter Verhelst <[EMAIL PROTECTED]> writes:
> On Fri, Nov 25, 2005 at 02:03:12PM +0100, Goswin von Brederlow wrote:
>> It just pains me that Debian does not include all the software to
>> build Debian.
>
> Sure it does. It just doesn't include the software that Debian uses to
> automatically build
Daniel Leidert <[EMAIL PROTECTED]> writes:
> Am Donnerstag, den 24.11.2005, 19:53 +0100 schrieb Goswin von Brederlow:
>> An incoming queue for reprepo is a ~100 lines shell script to check the
>> changes file signature and include the files in reprepro. Probably less
>> if you rewrite it in perl.
Simon Richter <[EMAIL PROTECTED]> writes:
>>>IF this means we can switch the effort to a detached signature that is more
>>>powerful than a .changes file (or we are allowed to have multiple signatures
>>> in a .changes file),
>
> That is already possible with gnupg, just not well-documented; I'm n
On Fri, Nov 25, 2005 at 02:03:12PM +0100, Goswin von Brederlow wrote:
> Wouter Verhelst <[EMAIL PROTECTED]> writes:
> > It's in Debian, and it's easy to use and understand. If it doesn't
> > diverge too far from the sbuild actually on svn.cyberhqz.com, it's also
> > good enough to give you a workin
Henrique de Moraes Holschuh <[EMAIL PROTECTED]> writes:
> On Thu, 24 Nov 2005, Anthony Towns wrote:
>> On Thu, Nov 24, 2005 at 07:39:57AM +0100, Marc Haber wrote:
>> > >Uh, packages not uploaded to the official Debian archive can do whatever
>> > >they want.
>> > It would, however, be convenient t
Anthony Towns writes:
> On Thu, Nov 24, 2005 at 07:47:58PM +0100, Goswin von Brederlow wrote:
>> Anthony Towns writes:
>> > On Wed, Nov 23, 2005 at 09:18:40PM +0100, Goswin von Brederlow wrote:
>> >> Use 1: I have this deb in my apt-move mirror and I want to know if it
>> >>was compromis
On Fri, Nov 25, 2005 at 02:38:32PM +0100, Goswin von Brederlow wrote:
> Michael Banck <[EMAIL PROTECTED]> writes:
> > On Thu, Nov 24, 2005 at 06:51:24PM +0100, Goswin von Brederlow wrote:
> >> Wouter Verhelst <[EMAIL PROTECTED]> writes:
> >> > They were, originally. Ryan's been very active on it si
Steve Langasek <[EMAIL PROTECTED]> writes:
> On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote:
>
>> > That's easy: you trust the Packages file to be correct when using apt,
>> > and it's not verified at all by per-package signatures.
>
>> In what way trust and how does that cha
Anthony Towns writes:
> On Thu, Nov 24, 2005 at 06:28:04PM +0100, Florian Weimer wrote:
> If you just want to check hashes, you should just use changes files. If
> you _actually_ want to check hashes, and this isn't just a thought
> experiment, working out a usable way to deliver .changes for wha
Adeodato Simó <[EMAIL PROTECTED]> writes:
> * Goswin von Brederlow [Thu, 24 Nov 2005 18:51:24 +0100]:
>
> Hi,
>
>> Wouter Verhelst <[EMAIL PROTECTED]> writes:
>
>> > They were, originally. Ryan's been very active on it since, and it's
>> > diverged a bit from the code you're main
Michael Banck <[EMAIL PROTECTED]> writes:
> On Thu, Nov 24, 2005 at 06:51:24PM +0100, Goswin von Brederlow wrote:
>> Wouter Verhelst <[EMAIL PROTECTED]> writes:
>> > They were, originally. Ryan's been very active on it since, and it's
>> > diverged a bit from the code you're maintaining.
>>
>> Th
Michael Banck <[EMAIL PROTECTED]> writes:
> On Thu, Nov 24, 2005 at 06:44:42PM +0100, Goswin von Brederlow wrote:
>> Michael Banck <[EMAIL PROTECTED]> writes:
>> > On Wed, Nov 23, 2005 at 03:50:11PM +0100, Goswin von Brederlow wrote:
>> >> If you NEED to do a manual binNMU it is probably best to
Wouter Verhelst <[EMAIL PROTECTED]> writes:
> On Thu, Nov 24, 2005 at 06:51:24PM +0100, Goswin von Brederlow wrote:
>> Wouter Verhelst <[EMAIL PROTECTED]> writes:
>> > I personally see the packages in unstable as something good for
>> > end-users who want to use it, or understand how the system wo
Hello sean,
sean finney <[EMAIL PROTECTED]> wrote:
> hi joerg,
>
> On Sun, Nov 20, 2005 at 10:23:58AM +, Joerg Sommer wrote:
>> I've got a bug report (#336527) my package bootchart-view do not work
>> with j2re1.3. But j2re1.3 is not in Debian. Can I set a conflict upon a
>> packages that is n
Hello Steve,
Steve Langasek <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 20, 2005 at 11:50:55PM +, Joerg Sommer wrote:
>> Steve Langasek <[EMAIL PROTECTED]> wrote:
>
>> > "Does not work with j2re1.3" means you should be depending on what it
>> > *does*
>> > work with, not trying to conflict with
Hi,
Anthony Towns wrote:
The problem is that using gzip and ar is complicated, which adds
possibilities for errors. You might find yourself not putting the deb
together again and getting false signature mismatches, or worse, you
might find yourself only verifying part of the .deb, and having dp
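Added example, not code from any message in this thread or from dpkg: a minimal parser for the ar(5) container a .deb is built from, used to show the difference between hashing each member and hashing the file as shipped. It builds a .deb-shaped archive in memory from constructed placeholder bytes (the tarballs are not real gzip'd tars), then demonstrates the failure mode described above: a check that only digests control.tar.gz still accepts a package whose data.tar.gz was changed.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"


def ar_member(name, data, mtime=0):
    """Encode one ar member: a 60-byte ASCII header followed by DATA,
    padded with a newline to an even length, as ar(5) requires."""
    hdr = (name.ljust(16) + str(mtime).ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode("ascii")
    assert len(name) <= 16 and len(hdr) == 60
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def build_deb(control_tgz, data_tgz):
    """Assemble a .deb: the three members dpkg expects, in this order."""
    return (AR_MAGIC + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", control_tgz)
            + ar_member("data.tar.gz", data_tgz))


def ar_members(blob):
    """Parse an ar archive into an ordered list of (name, bytes), refusing
    anything truncated or with a bad member header."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad or truncated member header at offset %d" % pos)
        # Header layout: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] fmag[2]
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %s" % name)
        members.append((name, data))
        pos += 60 + size + (size % 2)   # skip the pad byte after odd-sized data
    return members


def member_digests(blob):
    """SHA-256 of each member's payload, keyed by member name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in ar_members(blob)}


def whole_digest(blob):
    """SHA-256 of the complete .deb as shipped, headers and padding included."""
    return hashlib.sha256(blob).hexdigest()


def partial_check_passes(signed, candidate, member="control.tar.gz"):
    """What a check that hashed only MEMBER would conclude: True means
    CANDIDATE would be accepted as the package SIGNED."""
    return member_digests(signed)[member] == member_digests(candidate)[member]


if __name__ == "__main__":
    # Constructed stand-ins for the two tarballs (odd length on purpose,
    # to exercise the pad byte).
    control = b"control tarball (constructed)"
    data = b"data tarball (constructed)"
    original = build_deb(control, data)
    tampered = build_deb(control, data + b"\x00 extra payload")
    print([n for n, _ in ar_members(original)])
    print("partial check accepts tampered:", partial_check_passes(original, tampered))
    print("whole-file digest differs:", whole_digest(original) != whole_digest(tampered))
```

Whatever a .deb signature scheme signs, it has to cover every member (or the archive bytes as shipped); a verifier that re-extracts members and re-packs them also has to reproduce the header fields and the pad byte exactly, or it will produce the false mismatches the message above warns about.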
On Thu, Nov 24, 2005 at 10:36:41PM +0100, Thiemo Seufer wrote:
> > I can see arguments against it, but none that make
> > it an RC bug.
> Policy violations are RC by definition.
Actually, no; policy violations are RC by *default*, but the definition of
what's release-critical for a release is set
* Hamish Moffatt [Fri, 25 Nov 2005 20:34:02 +1100]:
> On Wed, Nov 23, 2005 at 05:34:41PM +0100, Jeroen van Wolffelaar wrote:
> > In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
> > are 8 distinct keys used for those 525 .deb's, seven of which correspond
> > to DD's[1].
> Sl
On Wed, Nov 23, 2005 at 05:34:41PM +0100, Jeroen van Wolffelaar wrote:
> In the archive, 525 out of 283283 .deb's are dpkg-sig'd (0.19%). There
> are 8 distinct keys used for those 525 .deb's, seven of which correspond
> to DD's[1].
Slightly off the topic, but does this mean the archive contains .
* Bastian Blank <[EMAIL PROTECTED]> [2005-11-24 23:45]:
> On Thu, Nov 24, 2005 at 10:48:39PM +0100, Rafael Laboissiere wrote:
> > Yes, I have been doing things wrongly in the past, but this is not the
> > case anymore. The Changed-By fields are correct now. See, for instance,
> > my last upload:
Quoting Paul LeoNerd Evans <[EMAIL PROTECTED]>:
> I'm not too familiar with creating a source package that can create
> multiple binary packages, but I have a local modification of the "sudo"
> source package which creates a "sudo-ldap" binary package. This is built
> using LDAP support.
>
> If yo
On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote:
> > That's easy: you trust the Packages file to be correct when using apt,
> > and it's not verified at all by per-package signatures.
> In what way trust and how does that change anything?
> At best you can prevent a newer ve
I need to buy a plane ticket to Bombay, India; please send me a quote.
Round trip.